Cyberthreats are escalating and SOC budgets are tightening. It’s a recipe for disaster, that is, unless you take advantage of new technologies that keep both in check. The fact is, businesses are now spending nearly a third of their cybersecurity budget towards running an in-house SOC, averaging out to $2.86 million per year, according to Ponemon.
Historically, security teams anchored their SOCs with SOAR. In the distant, fading past, this was intended to improve efficiency and drive standardization across incident response activities. SOARs promised to enable organizations to integrate security solutions within the SOC technology stack, filter and prioritize incident data, and automate processes to improve remediation speed. However, reality quickly set in, and SOC teams experienced disconnected and reactive defenses, narrow visibility and event processing capabilities, and limited inflexible integrations that were putting the organization in danger.
Beyond the technical limitations, organizations found that the myriad of hidden costs associated with running SOAR negatively impacted the investment already made in three key areas of the SOC: People, Time, and Technology.
People
When the SOC receives an alert, three levels of analysts typically work together to cover the entire threat lifecycle. Entry level analysts handle the initial triaging and filtering of alerts, escalating legitimate threats to Tier-2/3 analysts for more advanced investigations, and eventual remediation. However, the need for continuous monitoring, troubleshooting, and maintenance of SOAR solutions creates a bottleneck, slowing down the incident response process at every level. According to ESG, 92% of security professionals agree that leveraging a SOAR effectively demands intensive programming/scripting skills, meaning organizations often find themselves allocating one, if not more, FTEs strictly to SOAR management.
Depending on the size and maturity of the organization, staffing an efficient 24/7 SOC may require between 5-10 analysts, with the average entry-level analyst salary hovering around $90,000 annually. The challenge is, the cyber security space is already dealing with a 4 million global shortage of security staff, and Tier-1 analyst roles are so tedious and demanding that employees don’t stay in these positions long due to high stress, and eventual burnout. This shortage has made finding highly skilled and experienced analysts much more difficult, increasing the competitive salaries organizations must offer throughout the recruitment process.
Time
Whether it’s cost associated with increasing staff or labor hours due to overwhelming amounts of disconnected SOAR alerts, the impact of organization downtime when a legitimate threat is missed, or even regulatory compliance fines and reputational damages that are incurred in post-breach recovery. According to IBM’s Cost of a Data Breach Report (2023), the global average cost of a data breach has risen by 15% over the past 3 years, reaching an astronomical $4.45 million dollars.
Improving SOC speed to combat the potential impact of downtime is a key investment area for most organizations, and an area in which SOAR has drastically failed. SOAR’s poorly-scalable architecture and integration rigidity makes the initial implementation and configuration slow, tedious and time-consuming. Once implemented, CISOs and Directors of Cybersecurity commonly report on the mean time to respond (MTTR) to an incident when measuring the efficiency of the SOC. Ironically, the amount of time spent manually triaging, correlating and escalating massive amounts of alerts within a SOAR is often the major contributing factor leading to analyst burnout, and almost 40% of cybersecurity professionals say that their average MTTR is still “months or even years”.
Technology
To help reduce MTTR, especially in this intensely-competitive era of hiring experienced SOC analysts, organizations invest more heavily in technology to arm their security operations center. In 2024, approximately 70% of IT leaders expect to increase their cybersecurity budget, with almost half of that budget being allocated towards the cloud security and incident response solutions that are pertinent to day-to-day SOC responsibilities. Despite significant investments in cybersecurity tooling to increase SOC productivity, many organizations experience the opposite effect.
Security teams are overloaded, trying to protect legacy systems, hybrid infrastructures, and emerging technologies with siloed security solutions that do not have pre-built SOAR integrations allowing them to work in harmony with each other, or third-party threat intelligence feeds. The overabundance of security tools meant to safeguard an organization, ends up contributing to operational deficiency known as stack sprawl, where a lack of integration, limited connectivity, and an overwhelming amount of disconnected event data actually decreases SOC productivity. Even building basic SOC automation playbooks and setting up integrations with existing security solutions can often require custom development or lengthy professional services offered by the SOAR vendor, delaying productivity and decreasing ROI.
Maximize ROI with SOC Hyperautomation
Before signing on the dotted line, organizations need to be aware of the budget-busters of SOAR and other legacy SOC solutions that erode their value, lengthen their ROI, and make them downright expensive. Today, building an efficient SOC and maximizing not only the investment made in SOC solutions, but also the resource investment in people and time, requires Hyperautomation.
SOC teams leveraging Torq Hyperautomation easily integrate any security solution, and build effective automations using AI-prompts or no-code, low-code, and full-code support. Purpose-built AI capabilities that leverage LLMs to understand natural language uplevel Tier-1 analysts to perform Tier-3 tasks at machine speed, without the typical learning curve or need for professional services. By applying automation not only to security solutions, but to repetitive investigation, organization, and escalation tasks as well, Hyperautomation not only reduces the workload of SOC analysts, but enables them to act faster on critical incidents with intelligent, dynamic prioritization. Finally, a secure and extensible, cloud-native, zero-trust architecture eliminates scaling or performance ceilings, while maintaining compliance regardless of which best-of-breed solutions or enterprise architecture the organization is working with.
When building out a SOC, the best way to maximize an organization’s ROI is to protect the three key areas of investment; People, Time, and Technology. Torq Hyperautomation not only protects that investment, but enhances the SOC by automating processes at scale, with ease and efficiency – effectively solving the challenges outlined above, and removing the hidden costs associated with SOAR solutions.
Learn more about how Torq Hyperautomation protects your SOC investment, and download our spotlight report “SOAR is Dead: A Manifesto”. And to see Torq in action, schedule a demo.